From be58439a62f97b79ef9921d7904f1f8cff286a71 Mon Sep 17 00:00:00 2001
From: Roi Glinik
Date: Wed, 3 Jun 2026 12:00:40 +0300
Subject: [PATCH] switch base image to distroless python3-debian13 to eliminate CVE surface

Replaces the python:3.12-slim runtime base with gcr.io/distroless/python3-debian13. The previous base shipped openssl/glibc userland binaries flagged by DSA-6113-1 (11 CVEs incl. CVSS 8.1 stack buffer overflow in CMS AuthEnvelopedData parsing) and glibc 2.41-12 fixes pending in 2.41-12+deb13u2. Distroless ships only the shared libs Python needs, no shell, no package manager. Builder stage bumped to python:3.13-slim to match the runtime Python; pydantic bumped to >=2.11.7 for Python 3.13 wheel availability. Final image's CMD relies on the distroless ENTRYPOINT being python3. Adds config/test-definitions.yaml as a runnable example and .gitignore covering *.env for local credential files.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .gitignore | 18 ++++++++++++++++++
 builder/Dockerfile | 14 ++++++--------
 builder/requirements.txt | 2 +-
 config/test-definitions.yaml | 22 ++++++++++++++++++++++
 4 files changed, 47 insertions(+), 9 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 config/test-definitions.yaml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6420391
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,18 @@
+# Secrets / local overrides — never commit
+config/rbac-builder-job.yaml
+*.values
+*.env
+
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+.venv/
+venv/
+dist/
+build/
+
+# IDE
+.idea/
+.vscode/
+*.iml
diff --git a/builder/Dockerfile b/builder/Dockerfile
index ca86dea..3efac01 100644
--- a/builder/Dockerfile
+++ b/builder/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.12-slim as builder
+FROM python:3.13-slim AS builder
 ENV LANG=C.UTF-8
 ENV PYTHONDONTWRITEBYTECODE=1
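Review bot: The `*.env` and `*.values` patterns only keep credential files out of git; they have no effect on `docker build`, and `builder/Dockerfile` runs `COPY ./ ./builder/` over the whole build context, so if the context is the repository root those files would still land in an image layer. A `.dockerignore` carrying at least the same secret patterns (`*.env`, `*.values`, `config/rbac-builder-job.yaml`, `.git/`) should be added alongside this file. A comment on the first line such as `# NOTE: .gitignore is not honoured by docker build — keep .dockerignore in sync` would make that coupling explicit to the next person who adds a pattern here.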
@@ -10,19 +10,17 @@ WORKDIR /app
 COPY requirements.txt requirements.txt
 RUN python -m venv /app/venv
-RUN pip3 install --use-deprecated=legacy-resolver -r requirements.txt
+RUN pip3 install --use-deprecated=legacy-resolver --upgrade "pip>=25.3" \
+    && pip3 install --use-deprecated=legacy-resolver -r requirements.txt
-FROM python:3.12-slim
+FROM gcr.io/distroless/python3-debian13
 WORKDIR /app/
 ENV PYTHONUNBUFFERED=1
-ENV PATH="/venv/bin:$PATH"
-ENV PYTHONPATH=$PYTHONPATH:.
+ENV PYTHONPATH=/app:/venv/lib/python3.13/site-packages
 COPY ./ ./builder/
 COPY --from=builder /app/venv /venv
-ENV PYTHONPATH=$PYTHONPATH:.
-
-CMD [ "python3", "-u", "/app/builder/main.py"]
\ No newline at end of file
+CMD ["-u", "/app/builder/main.py"]
diff --git a/builder/requirements.txt b/builder/requirements.txt
index 7490e33..96195c8 100644
--- a/builder/requirements.txt
+++ b/builder/requirements.txt
@@ -1,4 +1,4 @@
-pydantic==2.7.1
+pydantic>=2.11.7
 supabase==2.28.0
 httpx[http2]
 regex
diff --git a/config/test-definitions.yaml b/config/test-definitions.yaml
new file mode 100644
index 0000000..0b9a11f
--- /dev/null
+++ b/config/test-definitions.yaml
@@ -0,0 +1,22 @@
+account_id: 6c2cbf41-c7b5-48ab-9777-76d320b985d4
+scopes:
+  - name: test-namespace-scope
+    type: namespace
+    clusters:
+      test-cluster-a: ["default", "kube-system"]
+      test-cluster-b: ["*"]
+  - name: test-cluster-scope
+    type: cluster
+    clusters:
+      test-cluster-c: ["*"]
+groups:
+  - name: test-viewers
+    provider_group_id: 11111111-1111-1111-1111-111111111111
+    type: namespace
+    permissions: ["POD_LOGS", "METRICS_VIEW"]
+    scopes: ["test-namespace-scope"]
+  - name: test-admins
+    provider_group_id: 22222222-2222-2222-2222-222222222222
+    type: cluster
+    permissions: ["CLUSTER_DELETE", "POPEYE_SCAN", "NODE_DRAIN"]
+    scopes: ["test-cluster-scope"]
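Review bot: `FROM gcr.io/distroless/python3-debian13` carries no tag or digest, so it resolves to `:latest` and the runtime base — the very thing this commit exists to control — floats on every rebuild; no `USER` follows it either, and the untagged distroless python3 variant runs as uid 0, so the final image runs as root. Pin it and take the non-root variant, `FROM gcr.io/distroless/python3-debian13:nonroot@sha256:<digest>` (uid 65532), or keep the tag and add `USER nonroot` before `CMD`; the builder's `python:3.13-slim` deserves the same digest pin for reproducibility. `ENV PYTHONPATH=/app:/venv/lib/python3.13/site-packages` hard-codes the interpreter minor version, so a base image that moves to a newer Python would leave the venv's packages silently unimportable — at minimum a comment such as `# must match the python3 shipped by the distroless base` belongs on that line. Dropping `ENV PATH="/venv/bin:$PATH"` means the distroless `python3` (not the venv interpreter) imports these packages, which looks intended given the new `CMD`, but it presumably requires native wheels built under `python:3.13-slim` to be ABI-compatible with Debian 13's python3 — worth confirming with an import smoke test in CI.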
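Review bot: `pydantic>=2.11.7` replaces an exact pin with an open-ended range, so the resolver may pick any future pydantic (and pydantic-core) release at build time — a reproducibility and supply-chain regression in a commit whose stated purpose is controlling the image's CVE surface. The commit message only needs a Python 3.13 wheel, which `pydantic==2.11.7` already satisfies. Better still, generate a lockfile with hashes and install with `pip install --require-hashes -r requirements.txt`, which would also cover the unpinned `httpx[http2]` and `regex` entries that the `--use-deprecated=legacy-resolver` flag in the Dockerfile currently resolves without any constraint. If the `>=` is deliberate, a comment explaining why belongs on that line.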
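Review bot: `account_id: 6c2cbf41-c7b5-48ab-9777-76d320b985d4` reads like a real account identifier rather than an obvious placeholder such as the `1111…`/`2222…` `provider_group_id` values beside it, and it is committed under the same `config/` directory whose `rbac-builder-job.yaml` the new `.gitignore` treats as secret. If it is real, replace it with a synthetic value and remember that git history retains the original. Either way a header comment would stop the example from being applied verbatim, e.g. `# Example definitions only — account_id and provider_group_ids are placeholders.` followed by `# Copy to a gitignored file before pointing the builder at a real account.` The `test-admins` group grants `CLUSTER_DELETE` and `NODE_DRAIN` over `test-cluster-c: ["*"]`, which is fine for a sample but deserves a one-line warning that running it against a real account creates exactly those bindings.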